From: John Almberg
Date: Wed, 6 Aug 2008 11:38:40 -0400
To: freebsd-questions@freebsd.org
Subject: Re: Controlling read access

> Hello John,
>
> There are some things that you can try.
>
> What if you connect from localhost and transfer files, is it still very
> slow?
> Try to disable TLS/SSL and see if this improves performance.
> Increase debug level and check the log for any errors.

Well, I am learning lots about FTP :-)

I didn't realize that FTP uses extra ports for data channels (yes, I am a newbie). I use the PF firewall, which of course was blocking the needed ports. Once I opened them, the connections worked perfectly.

I also moved the control port from 21 to a higher port, and disabled insecure FTP connections, requiring TLS/SSL for login.

I also added pureftpd_enable="YES" to rc.conf, so I can start it up with /usr/local/etc/rc.d/pure-ftpd restart.

So far, so good (newbie pats himself on back.) :-)

Now I have just one major league problem: when I logged in as one of the users, to test the connections, I discovered that I had SUPER POWERS. I was able to delete any file that I could see, including ones that were owned by root.

Digging uncovered the fact that pure-ftpd runs with root privileges... not so good for my situation.

My guess is I need to compile with the --with-privsep switch turned on...

So, finally I have a real FreeBSD question! What is the proper way, in ports, to set a configuration flag? The only way I could figure out was to add it to the Makefile.

    PRIVSEP "Enable privilege separation" on \

If this is the correct way to turn this compile switch on, it doesn't seem to work. After running:

    make deinstall
    make config      # checking the privilege separation box
    make reinstall

The logged-in user can still delete any file, regardless of permissions or ownership.

This is clearly a problem... I don't want my users to be able to blow away their own websites while they are uploading some images.

I am still digging for info on this problem. Any thoughts, much appreciated!

-- John
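
A check that fits the symptom reported above, as an added example that is not part of the original message or of pure-ftpd: on Unix, deleting a file requires write and search permission on its directory, not ownership of the file, so it is worth establishing what plain mode bits already allow an account before attributing a deletion to the daemon's root privileges. The function name `can_unlink`, the uid 65534 and the demo directory are constructed for illustration.

```shell
# Added example (not from the original message): could user UID, a member
# of groups GIDS, unlink PATH through ordinary Unix permissions alone?
# Mode bits only: ACLs, file flags (chflags) and read-only mounts are ignored.
# can_unlink UID "GID ..." PATH  -> returns 0 if allowed, 1 if denied
can_unlink() {
    cu_uid=$1 cu_gids=$2 cu_path=$3
    cu_dir=$(dirname "$cu_path")
    # ls -n prints numeric ids: field 1 = mode, 3 = owner uid, 4 = gid
    set -- $(ls -ldn "$cu_dir");  d_mode=$1 d_uid=$3 d_gid=$4
    set -- $(ls -ldn "$cu_path"); f_uid=$3
    if [ "$cu_uid" -eq 0 ]; then
        echo "allowed: uid 0 bypasses permission checks"; return 0
    fi
    # Exactly one class applies: owner, else group, else other.
    if [ "$cu_uid" -eq "$d_uid" ]; then
        bits=$(printf %s "$d_mode" | cut -c2-4)
    else
        bits=$(printf %s "$d_mode" | cut -c8-10)
        for g in $cu_gids; do
            if [ "$g" -eq "$d_gid" ]; then bits=$(printf %s "$d_mode" | cut -c5-7); fi
        done
    fi
    # Unlinking needs write (w) and search (x, shown as s or t) on the directory.
    case $bits in
        ?w[xst]) ;;
        *) echo "denied: no write+search on $cu_dir ($d_mode)"; return 1 ;;
    esac
    # Sticky directory: only the file's owner or the directory's owner may unlink.
    case $d_mode in
        ?????????[tT]*)
            if [ "$cu_uid" -ne "$f_uid" ] && [ "$cu_uid" -ne "$d_uid" ]; then
                echo "denied: sticky bit on $cu_dir"; return 1
            fi ;;
    esac
    echo "allowed: $cu_dir is writable by uid $cu_uid"; return 0
}

# Constructed demo: a temporary directory holding a file owned by whoever
# runs this script; uid/gid 65534 stands in for an unrelated FTP account.
demo=$(mktemp -d) && : > "$demo/index.html"
chmod 777 "$demo"; can_unlink 65534 65534 "$demo/index.html"
chmod 755 "$demo"; can_unlink 65534 65534 "$demo/index.html"
rm -rf "$demo"
```

If the function reports "denied" for the FTP account's real uid and groups and the deletion still succeeds over FTP, the session process is not running as that account.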